Multi-factor authentication (MFA) and two-factor authentication (2FA) have become critical for organizations to protect user accounts, assets and data, and for users to stay safe, especially as cybercriminals perfect ways to break through single-factor security. But what is the difference between 2FA and MFA?
There are three common types of authentication factors used to verify users:
Type 1: Knowledge - Something you know, such as a password or the answer to a security question
Type 2: Possession - Something you have, such as a security key or token
Type 3: Inherence - Something you are, such as a unique biometric or behavioral characteristic
So, two-factor authentication (2FA) requires users to present two different types of authentication factor, while MFA requires users to present two or more types. Two methods of the same type (for example, a password plus a security question, both knowledge) do not make 2FA. This means that all 2FA is MFA, but not all MFA is 2FA.
Even though both 2FA and MFA add security beyond username and password credentials, they each provide a different level of assurance that the person accessing the account is legitimate. So, is MFA more secure than 2FA? The short, bittersweet answer is: it depends.
In general, any 2FA or MFA is more secure than single-factor authentication. However, the security added by any MFA strategy is only as strong as the authentication methods chosen by the risk professionals who design it.
The layered approach adds security, but inherently weak authentication methods remain weak even when combined under MFA. For example, an authentication flow relying on a password (knowledge), a one-time password (OTP) (possession), and Face ID (inherence) is more secure than a password alone, but both passwords and OTPs are weak methods.
On the other hand, 2FA on an account that supports recognition signals, such as location behavior (inherence) and mobile push (possession), both among the methods that are most difficult to crack, could be deemed more secure than MFA with three different factors. That is why any MFA strategy is only as strong as the methods used.
The use of mobile recognition signals offers the possibility of stronger authentication methods for MFA.
The more layers added to MFA, the better for security. Higher security can stop many bad actors, but if users also face high friction, most of them will move to other services. Users hate friction, particularly in the mobile user experience. In 2018, less than 10% of Google's users had activated optional two-factor authentication (2FA), so it is clear that users choose a frictionless experience over security when given the chance. Even so, keeping users safe is a necessity. So how can users be given a frictionless experience by default while still being offered enhanced security?
Recognition signals on mobile are a type of authentication that offers higher security with the lowest possible friction. By using sensors on mobile devices, it is possible to recognize anomalies in user and device behavior, such as location behavior that is not typical for the user. Location is proven to be the strongest trust signal for mobile. Data from Incognia’s network shows that 90% of logins and 95% of sensitive transactions at financial services apps happen from a trusted location (a location the user frequents often). That is why Incognia provides zero-factor authentication, an approach that invokes MFA only when needed, depending on whether anomalies in behavior are identified. If the user's behavior is identified as trusted, there is no reason they should face more friction to gain access to their accounts.
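The following is an added example, not Incognia's code or the original post's, showing the two ideas above in working form: a check that a set of presented methods actually spans two distinct factor types (the 2FA versus MFA distinction discussed earlier), and a risk-based step-up decision that demands extra factors only when a login comes from a location the user does not normally frequent. The coordinates, the 1 km trusted radius, the method-to-type mapping, and the choice of which factors to step up to are all constructed assumptions for illustration.

```python
"""Risk-based step-up authentication and distinct-factor counting (added example)."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

# Assumed mapping from concrete method to authentication factor type.
FACTOR_TYPE = {
    "password": "knowledge",
    "security_question": "knowledge",
    "otp": "possession",
    "security_key": "possession",
    "mobile_push": "possession",
    "face_id": "inherence",
    "fingerprint": "inherence",
}


def distinct_factor_types(methods):
    """Return the set of factor types covered by the presented methods."""
    return {FACTOR_TYPE[m] for m in methods}


def is_multi_factor(methods, minimum=2):
    """True only if the methods span at least `minimum` *different* types.

    A password plus a security question are both knowledge, so they do not
    qualify; a password plus an OTP do.
    """
    return len(distinct_factor_types(methods)) >= minimum


@dataclass(frozen=True)
class Location:
    lat: float
    lon: float


@dataclass(frozen=True)
class LoginAttempt:
    user_id: str
    location: Location
    sensitive: bool  # e.g. a funds transfer rather than a plain login


def haversine_km(a: Location, b: Location) -> float:
    """Great-circle distance between two coordinates, in kilometres."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


# Constructed sample data: locations a hypothetical user frequents (e.g. home, office).
TRUSTED_LOCATIONS = {
    "alice": [Location(40.7128, -74.0060), Location(40.7580, -73.9855)],
}

TRUSTED_RADIUS_KM = 1.0  # assumed tolerance around a trusted location


def is_trusted_location(user_id, loc, radius_km=TRUSTED_RADIUS_KM):
    """A location is trusted if it lies within radius_km of any known trusted spot."""
    return any(haversine_km(loc, t) <= radius_km for t in TRUSTED_LOCATIONS.get(user_id, []))


def required_factors(attempt: LoginAttempt):
    """Decide which additional factors to demand for this attempt.

    Trusted location -> no extra factor (the "zero-factor" path).
    Untrusted location -> step up to a possession factor (mobile push);
    for sensitive transactions also demand an inherence factor (biometric).
    The step-up policy itself is an assumption of this example.
    """
    if is_trusted_location(attempt.user_id, attempt.location):
        return []
    factors = ["possession:mobile_push"]
    if attempt.sensitive:
        factors.append("inherence:biometric")
    return factors


if __name__ == "__main__":
    home_login = LoginAttempt("alice", Location(40.7130, -74.0062), sensitive=False)
    abroad_transfer = LoginAttempt("alice", Location(51.5074, -0.1278), sensitive=True)
    print("from home:", required_factors(home_login))
    print("transfer from abroad:", required_factors(abroad_transfer))
    print("password + security question is MFA?", is_multi_factor(["password", "security_question"]))
```

The trusted-location check is deliberately the only signal here; a production risk engine would combine several device and behavior signals, but the decision shape is the same: compute a trust verdict first, and only fall through to friction when the verdict is not trusted.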
Any MFA strategy should rely on the highest-security, lowest-friction methods possible. 2FA is enough if the authentication methods chosen follow these same guidelines.